Yarbo Mobile/Cloud Hardcoded Credentials and Missing Auth Vulnerabilities (CVE-2026-10557)

Vulnerability Overview Vulnerability Name: Yarbo Android/iOS Mobile Application and Cloud Infrastructure Publication Date: June 11, 2026 Alert Code: ICSA-26-162-01 Related Topics: Industrial Control System Vulnerabilities, Industrial Control Systems Scope of Impact Affected Versions: - Yarbo Android/iOS Mobile Application - Cloud MQTT Infrastructure Versions: all/ CVSS Score: v3 9.8 Vendor: Yarbo Equipment: Yarbo Android/iOS Mobile Application and Cloud Infrastructure Vulnerability Type: Use of hardcoded credentials, Lack of authorization Critical Infrastructure Sectors: Commercial Facilities Deployment Countries/Regions: Global Company Headquarters Location: China Mitigation Recommended Practices: - Minimize network exposure; ensure that all control system devices and/or systems are not directly accessible from the Internet. - Place control system networks and remote devices behind firewalls and isolate them from the business network. - Use more secure remote access methods, such as Virtual Private Networks (VPN), when remote access is required, and ensure that the VPN is updated to the latest version. - Conduct appropriate impact analysis and risk assessments before deploying defensive measures. - Implement recommended cybersecurity strategies to proactively defend Industrial Control System (ICS) assets. - Follow internal procedures to report suspicious malicious activity. - Do not click links or open attachments in unsolicited emails. - Refer to resources on avoiding email scams and social engineering attacks. Vulnerability Details CVE Numbers: - CVE-2026-10557 - CVE-2026-7368 Acknowledgments Markus Lassfolk of Truesec reported these vulnerabilities to CISA. Revision History Initial Publication Date: 2026-06-11 Revision History: - 2026-06-11: Initial Release Labels Sector: Commercial Facilities Sector Topics: Industrial Control System Vulnerabilities, Industrial Control Systems Related Alerts Brickcom Cameras: ICSA-26-162-03 Naxclow IoT Platform: ICSA-26-162-02 Schneider Electric EcoStruxure Panel Server: ICSA-26-160-03 Siemens KACO Blueplanet Inverters: ICSA-26-160-02 Additional Information Legal Notice and Terms of Use: Products are subject to this notice and the privacy and use policy. Feedback**: Feedback is welcome via anonymous product surveys. Summary This page primarily introduces two severe vulnerabilities (CVE-2026-10557 and CVE-2026-7368) in the Yarbo Android/iOS mobile application and cloud infrastructure, which could allow attackers to obtain hardcoded credentials, access telemetry data, and send operational commands. CISA provides detailed remediation advice and best practices to reduce the risk associated with these vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

Yarbo Mobile/Cloud Hardcoded Credentials and Missing Auth Vulnerabilities (CVE-2026-10557)